OrnuE (H filE

INFORMATION &PRIVACY COMMISSIONERfor British Columbia

Protecting privacy. Promoting transparency.

April 92015

Andrew LaidlawA/Chief Administrative OfficerDistrict of Saanich770 Vernon AveVictoria, BC V8X 2W7

Dear Andrew Laid law:

Re: Investigation Report F15-O1—OIPC File No. Fl 5-60273

Thank you for your letter of April 2, 2015, regarding Investigation Report F15-O7: Use ofEmployee Monitoring Software by the District of Saanich.

I appreciate being advised that the District has adopted two of the recommendationsand that the remaining three will be forwarded to Council with a positiverecommendation for their adoption.

In your letter you also raise concerns about statements and findings made in theInvestigation Report and media release, and ask that I provide some comment on yourperspective. Primarily, you cite the following excerpt as being of limited accuracy:

One of the most disappointing findings in my investigation of the District ofSaanich’s use of employee monitoring software is the near-complete lack ofawareness and understanding of the privacy provisions of B.C. ‘s Freedom ofInformation and Protection of Privacy Act (“FIPPA”).

You indicate that the accuracy of that conclusion is limited to the interviews conductedand by the scope of the documents reviewed in the course of my investigation. Inaddition, you suggest that you would have been pleased to provide my office withinformation about the elements of your privacy management program and the content ofyour staff training.

I would like to convey some of the main elements of my investigators’ experience indealing with District staff in order to further help you understand the basis for theaccuracy of my statements.

Mail PC Box 9038, Stn Prov. Govt, Victoria BC V8W 9A4 Location 4th floor, 947 Fort Street, Victoria BCTel. 250-387-5629 Fax 250-387-1696 I Toll free through Enquiry BC 800-663-7867 or 604-660-2421 (Vancouver)

Twitter @BClnfoPrivacy I www.oipc.bc.ca

saan

ichne

ws.com

saan

ichne

ws.com

saan

ichne

ws.com

saan

ichne

ws.com

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

Page 2 of 4

By way of background, my staff requested that the district provide my office with alldocuments that were relevant to the investigation; those requests were made multipletimes, both in writing and in person. If there was any District policy, privacymanagement program, privacy manuals, privacy impact assessment, or other documentthat was relevant to our investigation, I question why that material was not forthcomingduring the course of the investigation.

District Submissions

When my staff first requested that the District provide its position on how its collection,use, or disclosure of personal information by Spector 360 was authorised by FIPPA, wewere provided with the following single sentence: “[tJhe purpose of Spector 360 was toprotect and secure the computers of high profile users.”

That answer did not mention FIPPA, provide any explanation for how the legislationauthorized Spector 360, or even refer to the collection of personal information. My staffproceeded to explain to senior District staff how FIPPA functioned; specificallyexplaining that in order to collect, use, or disclose personal information, the District mustbe able to point to a section of FIPPA that authorizes it to do so.

We received the District’s revised submissions by email from Laura Ciarniello onFebruary 10, 2015. The content of those submissions displayed what can again befairly described as a near-complete lack of understanding of FIPPA and its applicationto the District.

If the District does have a more sophisticated understanding of FIPPA in relation to itsprograms and activities than is described in the Investigation Report, then thatunderstanding should have been reflected in those submissions. However, it is notcredible that a public body with an understanding of privacy law or of FIPPA could havedrafted submissions that fundamentally misapplied the relevant sections of that Act.

Notice to employees

As discussed in the Investigation Report, FIPPA requires that public bodies provideindividuals with notice of the collection of their personal information. This is not just aFIPPA requirement; it is a reflection of the widely accepted basic privacy principle thatindividuals should be provided with clear and easily accessible statements about thecollection, use, or disclosure of their personal information.

The District provided my office with its Network Access Terms and Conditions Formwhich Laura Ciarniello stated provided adequate notification to employees of thecollection of their personal information by the District. However, this form did notmention FIPPA or the collection of personal information, and did not include any of theelements expressly required by law. It is notable that this form was not createdspecifically for the implementation of Spector 360, but was intended to serve as, among

saan

ichne

ws.com

saan

ichne

ws.com

saan

ichne

ws.com

saan

ichne

ws.com

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

Page 3 of 4

other things, notice for any collection of personal information by the District in relation toits communication and IT resources.

If the District had adequately implemented the privacy management program describedin your letter, it would have been reflected in the District’s compliance with the noticerequirements of FIPPA. It is not sufficient for the District to have in place a privacymanagement program if that program is not known of or understood by Districtmanagement and employees.

Director of Legislative Services

In your letter you ask why my staff “declined” an interview with your Director ofLegislative Services, Carrie MacPhee. By letter on January 26, 2015, my office askedLaura Ciarniello to provide the list of individuals that she had arranged for our office tointerview on February 3, 2015. In response by telephone she provided the following listof names:

• Forrest Kvemshagen, Manager of Information Technology;• John Proc, Assistant Manager of Information Technology;• Andy Laid law, Chief Administrative Officer; and• Laura Ciarniello, Director of Corporate Services

Upon reviewing the list of interviewees, my staff requested that Ms. Ciarniello alsoarrange for them to interview the IT technician who installed Spector 360, arepresentative of the Human Resources department, and an employee who was anexample of a computer user who had Spector 360 installed on his or her computer.

The Director of Legislative Services’ name was subsequently put forward as theexample of a computer user. After the other interviews on February 3, 2015,Ms. Ciarniello asked if my staff wanted to speak to the Director of Legislative Services.After confirming with Ms. Ciarniello that the Director was being made available as anexample of a computer user, my staff indicated that they no longer needed to interviewa user because they had the information they needed regarding whether users werenotified about the installation of Spector 360.

I hope you can appreciate that as the Director of Legislative Services’ name was neverput forward as the person responsible for FIPPA, but rather as a person who hadSpector 360 installed on her computer, it is inaccurate to state that my staff “declined tointerview” the individual responsible for privacy within the District. Rather, it would bemore accurate to state that my staff declined to interview the person selected byMs. Ciarniello to act as an example of a computer user who had Spector 360 installedon her computer.

saan

ichne

ws.com

saan

ichne

ws.com

saan

ichne

ws.com

saan

ichne

ws.com

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

Page 4 of 4

Almost without exception in an investigation such as this, the person responsible forprivacy takes a lead role in liaising with our office, and in explaining how the activitiesunder investigation are authorized by FIPPA. However, at no point during ourinvestigation was the Director of Legislative Services or any other District manager orofficer identified as the person responsible for FIPPA compliance within the District.

We have, since the release of the Investigation Report, been contacted by the Directorof Legislative Services who stated that she is the Director responsible for privacy andaccess to information. However, she was unable to explain to my staff why she was notidentified as such during the investigation or at any point play a role in liaising with myoffice.

I would also note that the Director of Legislative Services was present at theNovember 19, 2014 meeting where the implementation of employee monitoringsoftware was discussed, including specific discussion regarding onto whichworkstations the software would be installed. However, in the documents provided tomy staff by the District we can find no mention of any concerns being raised regardingthe privacy implications of this course of action, or of the need for the District to considerits obligations under FIPPA before proceeding.

The only District employee who questioned the privacy invasiveness of the use ofSpector 360 was the IT Technician who was tasked with its installation. As described inthe Investigation Report, that person voiced his concern but was specifically directed toinstall the software with the most privacy intrusive functions enabled.

I therefore respectfully suggest that these circumstances describe a public body inwhich management was not aware of its privacy obligations under FIPPA and that mypublic comments in this regard are validly founded. Thank you again for your letter.

Sincerely,

Elizabeth DenhamInformation and Privacy Commissionerfor British Columbia

pc. Mayor and Councillors, District of Saanich.

saan

ichne

ws.com

saan

ichne

ws.com

saan

ichne

ws.com

saan

ichne

ws.com

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om

sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om sa

anich

news.c

om